System and method for automatic forensic investigation

ABSTRACT

Automatic forensic investigation techniques to more effectively differentiate false positives from true positives. An incident is automatically investigated by a processor that communicates instructions to a device on a network and analyzes information received from the device in response to the instructions. In response to analyzing, the processor raises or lowers its level of confidence in the incident. If the processor&#39;s level of confidence in the incident is sufficiently high, the processor generates an output that indicates that the security of the network has been compromised. Otherwise, the processor ascertains that the incident is a false positive and may modify a criteria for alert generation.

FIELD OF THE DISCLOSURE

The present disclosure relates to security monitoring of a computer network.

BACKGROUND OF THE DISCLOSURE

An organization needs to be constantly vigilant in monitoring the security of its computer network. Threats to computer networks include cyberattacks, malware, and exploits.

SUMMARY OF THE DISCLOSURE

There is provided, in accordance with some embodiments of the present invention, apparatus for monitoring security of a computer network. The apparatus includes a network interface and a processor. The processor is configured to, via the network interface, receive, from one or more of a plurality of sensors associated with the computer network, one or more alerts indicative of a possible compromise to the security of the computer network. The processor is further configured to automatically investigate the alerts, by (i) communicating instructions to at least one entity on the computer network, and (ii) analyzing information received in response to the instructions. The processor is further configured to, in response to investigating the alerts, generate an output.

In some embodiments, the processor is configured to, by investigating the alerts, compute a level of confidence in the alerts, and to generate the output only if the level of confidence exceeds a given threshold.

In some embodiments, the apparatus further includes the plurality of sensors.

In some embodiments, the at least one entity includes one of the plurality of sensors.

In some embodiments, the instructions include instructions to an endpoint forensic sensor to scan an endpoint device on the computer network.

In some embodiments, the instructions include instructions to a file analysis sensor to scan a file.

In some embodiments, the at least one entity includes one of the plurality of sensors that did not generate any of the received alerts.

In some embodiments, the information includes at least one record of past network traffic over the computer network.

In some embodiments, the information includes at least one record of past activity of at least one endpoint device on the computer network.

In some embodiments, the processor is further configured to, in response to investigating the alerts, modify criteria for alert generation of at least one of the plurality of sensors.

There is further provided, in accordance with some embodiments of the present invention, a method for monitoring security of a computer network. The method includes receiving, from one or more of a plurality of sensors associated with the computer network, one or more alerts indicative of a possible compromise to the security of the computer network. The alerts are automatically investigated, by (i) communicating instructions to at least one entity on the computer network, and (ii) analyzing information received in response to the instructions. In response to investigating the alerts, an output is generated.

There is further provided, in accordance with some embodiments of the present invention, a computer software product including a tangible non-transitory computer-readable medium in which program instructions are stored. The instructions, when read by a processor, cause the processor to receive, from one or more of a plurality of sensors associated with the computer network, one or more alerts indicative of a possible compromise to the security of the computer network. The instructions further cause the processor to automatically investigate the alerts, by (i) communicating instructions to at least one entity on the computer network, and (ii) analyzing information received in response to the instructions. The instructions further cause the processor to, in response to investigating the alerts, generate an output.

The present disclosure will be more fully understood from the following detailed description of embodiments thereof, taken together with the drawings, in which:

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a schematic illustration of a system for monitoring security of a computer network, in accordance with some embodiments described herein; and

FIG. 2 is a flow diagram for a method for monitoring security of a computer network, in accordance with some embodiments described herein.

DETAILED DESCRIPTION OF EMBODIMENTS Overview

In embodiments described herein, a plurality of sensors are used to monitor a computer network. Each of the sensors is configured to generate an alert, if the sensor detects a possible compromise to the security of the network. A processor receives any alerts that are generated, and decides, based on the alerts, whether an incident should be opened.

A challenge in network security monitoring is that in order for the sensors to detect any possible threats to the computer network, the sensitivity of the sensors needs to be high. With high sensitivity, however, the sensors will generate many false-positive alerts, and hence, the processor will open may false-positive incidents. The processor must therefore be able to differentiate false-positive incidents from true-positive incidents.

One technique for differentiating false positives from true positives (either at the alert level or at the incident level) is to correlate between respective alerts received from different sensors. For example, the processor may ascertain that a given alert is indicative of a particular type of attack only if the processor has also received at least one other alert that historically has accompanied the given alert in cases of such an attack. Although helpful, however, the effectiveness of this technique in filtering out false positives is limited.

Hence, alternatively or additionally to employing the above-described correlation technique, embodiments described herein use automatic forensic investigation techniques to more effectively differentiate false positives from true positives. Upon the opening of an incident, the incident is automatically investigated by a processor. (It may be alternatively stated that the processor investigates the received alerts, since, effectively, the incident is representative of the received alerts.) To investigate the incident, the processor communicates instructions to at least one entity on the computer network, and analyzes information received from the device in response to the instructions. For example, the processor may issue instructions to one of the sensors, and/or another resource on the network such as an information repository, to communicate particular information to the processor. (In other words, the processor may query a sensor or information repository for particular information.) Alternatively or additionally, the processor may instruct a sensor, or other device on the network, to perform a particular task, and communicate the results of the task to the processor.

In response to analyzing the information that is received in response to the instructions, the processor raises or lowers its level of confidence in the incident. If, following the automatic investigation of the incident, the processor's level of confidence in the incident is sufficiently high, the processor generates an output that indicates that the security of the network has been compromised. Otherwise, the processor ascertains that the incident is a false positive.

In some embodiments, in response to ascertaining whether the incident is a true or false positive, the processor modifies the criteria for alert generation of at least one of the sensors that prompted the opening of the incident, and/or at least one of the other sensors. For example, in response to a false positive, the processor may lower the sensitivity of one of the sensors, and/or instruct the sensor not to generate an alert in the future if certain conditions are satisfied. Conversely, the processor may increase the sensitivity of a particular sensor, in response to identifying a true positive.

It is emphasized that the investigative techniques described herein differ fundamentally from methods that rely solely on the above-described correlation technique, at least in that the processor initiates an exchange of communication which, typically, would not have taken place if not for the initiative of the processor. In other words, the processor proactively investigates an alert by retrieving additional information or instructing that certain functions be performed, rather than merely waiting for additional alerts to arrive. Such investigative techniques facilitate a more effective and timely determination of whether an incident is a true or false positive, and further help increase the precision of the sensors.

System Description

Reference is initially made to FIG. 1, which is a schematic illustration of a system 20 for monitoring security of a computer network 30, in accordance with some embodiments described herein. Computer network 30 typically comprises an internal network, such as an intranet belonging to a corporation.

Network traffic is exchanged between network 30 and external networks, such as the Internet 22, via the perimeter 24 of the network, which may include, for example, a firewall and/or a gateway. The traffic passes through a first network tap 28 a situated in perimeter 24, which provides a copy of the traffic to relevant monitoring sensors.

For example, FIG. 1 shows a command-and-control sensor 26 monitoring the traffic passing through the perimeter. Command-and-control sensor 26 checks the traffic for possible communication exchanged with malware residing in network 30. For example, sensor 26 may attempt to identify instructions sent to or from malware, and/or data communicated by malware. Upon identifying such communication, sensor 26 generates an alert. The command-and-control sensor may monitor traffic that uses any relevant protocol, including Hypertext Transfer Protocol (HTTP), HTTP Secure (HTTPS), and the Domain Name System (DNS) protocol.

FIG. 1 further shows an exfiltration sensor 29, which monitors data leaving the network. Upon detecting a possible exfiltration of data from the network, exfiltration sensor 29 generates an alert. Exfiltration sensor 29 may monitor any relevant protocol, including, for example, file transfer protocol (FTP), HTTP, and HTTPS. Alternatively or additionally, an infiltration sensor 31, also shown in FIG. 1, may generate an alert upon detecting an apparent entry of an attacker, such as via email (e.g., spear phishing), drive-by-download exploits, or other techniques.

Network 30 comprises a plurality of interconnected devices, including, but not limited to, endpoint devices 32, and a data center 25 (or a plurality of such data centers). Data exchanged with endpoint devices 32 pass through a second network tap 28 b, while data exchanged with data center 25 pass through a third network tap 28 c. Additional monitoring sensors, which reside on the devices, and/or are connected to tap 28 b or 28 c, monitor the security of the network.

For example, endpoint forensic agents 33, which reside on devices 32, monitor the processes running on, and the files being used by, devices 32. Information from endpoint forensic agents 33 is passed to an endpoint forensic server 35, which generates alerts in response to the information. Endpoint forensic server 35 together with endpoint forensic agents 33 may be collectively referred to as an endpoint forensic sensor.

Typically, a file analysis sensor 34 analyzes files that were received from the network taps or from any of the other sensors, in order to detect any potentially malicious files. In some embodiments, file analysis sensor 34 effectively comprises two logical components: a static sensor scans files for potentially malicious content, while a dynamic sensor runs executable files to determine whether the files are malicious.

Alternatively or additionally, a lateral movement sensor 36, fed by network tap 28 b, may monitor traffic that passes between network nodes, and/or may monitor activity of endpoint devices 32, in order to detect any possible advance of an attacker within the network. Similarly, a data center sensor 23, fed by network tap 28 c, may monitor the flow of data to and from the data center, in order to detect unauthorized storage or retrieval of data.

Typically, system 20 further includes repositories of historical information. For example, a traffic repository 38 may store records of past network traffic, i.e., traffic that passed to, from, and/or within the network in the past. (Such information may be obtained via the network taps.) Alternatively or additionally, an endpoint-activity repository 40 may store records of past activity of endpoint devices. As further described below, such repositories provide historical information that may be used to facilitate the automatic investigation of incidents. Each repository may be implemented, for example, on a respective dedicated server.

In some embodiments, one or more of the repositories further function as sensors, i.e., the repositories may generate alerts upon the detection of suspicious activity. The repositories typically see a fuller picture of network activity than do the other sensors, and may thus complement the other sensors. For example, the traffic repository may determine whether a particular domain is suspicious, by analyzing the number of devices that have attempted to access the domain, and/or the frequency with which attempts to access the domain have been made. If, for example, a large number of devices have attempted to access the domain, it is unlikely that the domain is malicious, since this would imply that a large number of devices in the network are infected by the same malware. On the other hand, if only a small number of devices have attempted to access the domain, the traffic repository may determine that the domain is suspicious, and in response thereto, may generate an alert. The traffic repository thus complements the activity of command-and-control sensor 26, which sees the attempted accesses to the domain only one-by-one.

The same sort of statistical analysis may be performed by endpoint-activity repository 40, with respect to a particular file or process that is potentially malicious. For example, a particular file or process is more likely to be malicious if only a small number of devices on the network have accessed the file or run the process, relative to if a large number of devices have done so. (The above-described statistical analyses may also be performed as part of an incident investigation, as described below.)

Alternatively or additionally to the sensors and repositories described above, any other relevant type of network or endpoint sensor, or information repository, may be used. Moreover, the scope of the present disclosure includes providing any number of sensors and repositories of each type. Sensors and repositories may be implemented in hardware, software, or a combination of hardware and software elements.

System 20 further includes a unit that receives any alerts from the network sensors. Such a unit may be implemented, for example, on a server 46, comprising a network interface, such as a network interface card (NIC) 44, and a processor 42. Via NIC 44, processor 42 receives the alerts. The processor may then open incidents based on the alerts, and, as noted above, proactively investigate the incidents. For example, the processor may initiate the retrieval of appropriate information from the network, and/or issue instructions to a device and/or sensor on the network to perform a particular task, and communicate results of the task to the processor. In response to analyzing the retrieved information and/or results, the processor raises or lowers its level of confidence in the incident, until conclusion of the investigation.

The results of the investigation may then be presented to a user via a user interface 48, comprising, for example, a computer monitor and a keyboard. For example, if, based on the investigation, the processor ascertains that the security of the network has been compromised, the processor may generate an appropriate audio and/or visual output via user interface 48. In response to the output, the user may use interface 48 to conduct additional investigative work, and/or take appropriate action in response to the security threat. For example, the user may, via interface 48, issue instructions to the network perimeter to inhibit the exchange of communication between network 30 and the Internet.

Alternatively or additionally, at the conclusion of an investigation, the processor may generate an output that includes instructions communicated to network 30 via NIC 44. For example, in response to ascertaining that the security of the network has been compromised, the processor may instruct a particular endpoint device to disconnect itself from the rest of the network.

Alternatively or additionally, the results of the investigation may be securely shared with other parties, e.g., over the Internet. Similarly, processor 42 may use information from other parties to guide the investigation of an incident, and/or to issue appropriate instructions to the sensors. In this manner, organizations may collaborate with each other in fighting cyber threats.

Typically, computer network 30 comprises a single physical data bus that is shared by all of the devices and sensors in the network. Nonetheless, for clarity, FIG. 1 shows two separate data buses, since the channels of communication between the sensors and server 46 are logically distinct from the normal channels of communication between the interconnected devices of the network. Thus, for example, traffic repository 38 is shown connected to both the top and bottom “logical” buses; via the top logical bus, the traffic repository receives traffic that passes through the network, and via the bottom logical bus, the traffic repository communicates with server 46.

In general, processor 42 may be embodied as a single processor, or a cooperatively networked or clustered set of processors. Processor 42 is typically a programmed digital computing device comprising a central processing unit (CPU), random access memory (RAM), non-volatile secondary storage, such as a hard drive or CD ROM drive, network interfaces, and/or peripheral devices. Program code, including software programs, and/or data are loaded into the RAM for execution and processing by the CPU and results are generated for display, output, transmittal, or storage, as is known in the art. The program code and/or data may be downloaded to the computer in electronic form, over a network, for example, or it may, alternatively or additionally, be provided and/or stored on non-transitory tangible media, such as magnetic, optical, or electronic memory. Such program code and/or data, when provided to the processor, produce a machine or special-purpose computer, configured to perform the tasks described herein.

Incident Investigation

As noted above, typically, the processor investigates an incident by querying one or more sensors and/or repositories for information, and/or by communicating instructions to a particular device, sensor, or repository to perform a particular task and communicate the results of the task to the processor.

For example, command-and-control sensor 26 may generate an alert that indicates that a particular endpoint device accessed a suspicious domain, and further provides relevant details, such as the time at which, and the port from which, the domain was accessed. In response to the alert (alone, or in combination with other alerts), the processor may open an incident. The processor may then investigate the incident by first querying endpoint-activity repository 40 for the identity of the process that accessed the suspicious domain. The processor may then query the endpoint forensic sensor for details about the process, such as the executable file that ran the process. If the executable file belongs to the Windows™ system library and has a Microsoft™ certificate, the processor may ascertain that the incident is a false positive, or at least lower its level of confidence in the incident. Otherwise, the processor may instruct file analysis sensor 34 to scan the executable file, and use the results of the scan to help further the investigation.

As another example, the processor, upon opening an incident based on an alert from the endpoint forensic sensor regarding a particular file or process, may query the endpoint forensic server for more details regarding the file or process.

As another example, to investigate an incident regarding a potentially infected endpoint device—opened, for example, in response to one or more alerts from the lateral movement sensor and/or file analysis sensor—the processor may instruct the endpoint forensic sensor to scan the potentially infected endpoint device, and communicate the results of the scan to the processor.

As yet another example, to investigate an incident regarding a possibly malicious file, the processor may instruct the file analysis sensor to thoroughly scan the file. Alternatively or additionally, the processor may retrieve the file from the network, and subsequently thoroughly scan the file.

As yet another example, the processor may investigate an incident by instructing the traffic repository or endpoint repository to perform an analysis on historical data, such as the statistical analyses described above. Alternatively or additionally, the processor may itself perform such an analysis on the “raw data” retrieved from the relevant repository. That is, the processor may investigate the incident by (i) analyzing past traffic over the network, e.g., by retrieving at least one record of past network traffic from traffic repository 38, and/or (ii) analyzing past activity of at least one endpoint device on the network, e.g., by retrieving at least one record of past activity of at least one endpoint device on the network from endpoint-activity repository 40.

For example, the processor may open an incident, based on an alert from the command-and-control sensor that indicates that a particular endpoint device accessed a suspicious domain. To investigate the incident, the processor may query the traffic repository for a list of endpoints that accessed the domain in the past, e.g., over the last month. If a relatively large number of endpoints accessed the domain, the processor may ascertain that the incident is a false positive, or at least lower its level of confidence in the incident. Otherwise, the processor may raise its level of confidence in the incident, and/or may further investigate one or more of the devices that accessed the domain. Alternatively or additionally, the processor may query the endpoint-activity repository for the identity of the process that accessed the suspicious domain, and analyze the process.

In some cases, to investigate an incident, the processor retrieves, and analyzes, previously-received alerts, alternatively or additionally to performing the other investigative techniques described herein.

In some embodiments, in response to a received alert, the processor raises the sensitivity level of at least one of the sensors. For example, upon receiving an alert from a sensor that an attacker has possibly penetrated the network, the processor may raise the sensitivity level of the lateral movement sensor, whose primary function is to detect the advance of an attacker within the network. Subsequently, based on alerts and/or other information received from the lateral movement sensor, the processor may more effectively determine whether to open an incident, and/or may more effectively investigate the incident, relative to if the sensitivity level of the lateral movement sensor had not been raised.

In some embodiments, at the conclusion of an investigation, in response to ascertaining whether the security of the network has been compromised, the processor modifies the criteria for alert generation of one or more of the sensors. For example, the processor may investigate an incident that is based on an alert from a lateral movement sensor regarding suspicious communication between two endpoint devices. At the conclusion of the investigation, the processor may ascertain that the incident is a false positive, in that the endpoint that initiated the communication belongs to the network administrator, and hence, the communication was legitimate. In response thereto, the processor may instruct the lateral movement sensor not to generate any more alerts regarding such communication if such communication shows evidence of having been initiated by the network administrator, even if such communication otherwise appears to be suspicious.

Reference is now made to FIG. 2, which is a flow diagram for a method 49 for monitoring security of computer network 30, which is performed by processor 42, in accordance with some embodiments described herein.

Method 49 begins with an alert-receiving step 50, at which the processor receives an alert from a particular sensor. The processor first stores the alert (e.g., in a digital memory on server 46, and/or in a database external to server 46), at an alert-storing step 64. Next, at a correlating step 65, the processor correlates the newly-received alert with previously-stored alerts. Based on the correlation, the processor decides, at a decision step 62, whether to open an incident. In particular, if the newly-stored alert, in light of one or more of the previously-stored alerts, indicates a possible compromise to the security of the network, the processor decides to open an incident. (In some cases, the newly-received alert may be sufficiently indicative of a security compromise, such that the processor opens an incident even without first correlating the newly-received alert to previously-stored alerts.)

Further to opening an incident at an incident-opening step 66, the processor begins to investigate the incident. An investigation typically compromises multiple steps, executed in sequence by the processor until the level of confidence in the incident is sufficiently high (e.g., greater than a first, higher threshold) or low (e.g., less than a second, lower threshold). Each step of the investigation, performed at an investigation-step-performing step 56, may comprise any of the investigative techniques described above, and/or any other relevant investigative techniques.

Following each investigation step, the processor assesses the confidence level in the incident, at a confidence-level-assessing step 52. If the confidence level is sufficiently high, the processor ascertains that the security of the network has been compromised (i.e., that the incident is a true positive), and hence, generates an output, at an output-generating step 60, that informs a user of the situation and/or takes remedial action, as described above. Otherwise, the processor ascertains that the security of the network has not been compromised (i.e., that the incident is a false positive), and closes the incident, at an incident-closing step 68.

As described above, based on the result of the investigation, the processor may provide feedback to the sensors, at a feedback-providing step 58. In particular, the processor may modify the alert-generation criteria of one or more of the sensors that contributed to the incident, either by providing “negative feedback” that reduces the rate of occurrence of false positives, or by providing “positive feedback” that increases the rate of occurrence of true positives.

If all automatic investigation options have been exhausted, and the level of confidence in the incident is still indeterminate, the incident may be passed to network security personnel for manual investigation.

It will be appreciated by persons skilled in the art that the present invention is not limited to what has been particularly shown and described hereinabove. Rather, the scope of the present invention includes both combinations and subcombinations of the various features described hereinabove, as well as variations and modifications thereof that are not in the prior art, which would occur to persons skilled in the art upon reading the foregoing description. Documents incorporated by reference in the present patent application are to be considered an integral part of the application except that to the extent any terms are defined in these incorporated documents in a manner that conflicts with the definitions made explicitly or implicitly in the present specification, only the definitions in the present specification should be considered. 

The invention claimed is:
 1. A system for monitoring security of a computer network, the system comprising: a perimeter of a network comprising a command and control sensor directly connected to an external network; a network interface connecting the perimeter of the network to a server computer and at least one other entity on the network; at least one tap directing communications from the external network to the command and control sensor, wherein the command and control sensor analyzes the communications and issues to the server computer alerts indicative of a possible compromise to the security of the network; a processor connected to computerized memory storing computer implemented instructions on the server computer; a plurality of sensors connected on the network in communication with the processor; wherein the computer implemented instructions are configured to implement a method comprising steps to: automatically investigate the computer alerts by (i) communicating instructions to the at least one other entity on the computer network, wherein the at least one other entity comprises at least one of the plurality of sensors; and (ii) analyzing information received in response to the instructions; and compute a level of confidence in the computer alerts; generate an output when the level of confidence exceeds a given threshold, wherein the output is an indication of a security compromise transmitted on the network to at least one endpoint device; and in response to investigating the computer alerts, modify criteria for alert generation of at least one of the plurality of sensors.
 2. The system according to claim 1, wherein the instructions include instructions to an endpoint forensic sensor to scan a respective endpoint device on the computer network.
 3. The system according to claim 1, wherein the instructions include instructions to a file analysis sensor to scan a file.
 4. The system according to claim 1, wherein the at least one entity includes one of the plurality of sensors that did not generate any of the received alerts.
 5. The system according to claim 1, wherein the information includes at least one record of past network traffic over the computer network.
 6. The system according to claim 1, wherein the information includes at least one record of past activity of a respective endpoint device on the computer network.
 7. A method for monitoring security of a computer network, the method comprising: connecting a command and control sensor at a perimeter of a network to an external network; connecting a server computer to the command and control sensor and at least one other entity on the network, wherein the at least one other entity comprises a plurality of sensors connected to the network; placing at least one tap on the network; using the at least one tap on the network, directing communications from the external network to the command and control sensor, wherein the command and control sensor, analyzes the communications and issues to the server computer an alert indicative of a possible compromise to security of the network; automatically investigating the alert by (i) communicating instructions to the at least one other entity on the computer network, and (ii) analyzing information received in response to the instructions; and compute a level of confidence in the alert; generate an output when the level of confidence exceeds a given threshold, wherein the output is an audio and/or visual indication of a security compromise and wherein the output is transmitted on the network and used to disconnect at least one endpoint device from the network; and in response to investigating the alerts, modify criteria for alert generation of at least one of the plurality of sensors.
 8. The method according to claim 7, wherein the instructions include instructions to an endpoint forensic sensor to scan a respective endpoint device on the computer network.
 9. The method according to claim 7, wherein the instructions include instructions to a file analysis sensor to scan a file.
 10. The method according to claim 7, wherein the at least one entity includes one of the plurality of sensors that did not generate any of the received alerts.
 11. The method according to claim 7, wherein the information includes at least one record of past network traffic over the computer network.
 12. The method according to claim 7, wherein the information includes at least one record of past activity of a respective endpoint device on the computer network. 